A hospital’s failure to appropriately safeguard patient health information cost it a $387,000 settlement with the U.S. Department of Health and Human Services (HHS).
An announcement from HHS details an impermissible disclosure of protected health information (PHI) by the Spencer Cox Center for Health, now the Institute for Advanced Medicine run by St. Luke’s-Roosevelt Hospital Center in New York City.
According to a complaint lodged with the HHS Office for Civil Rights (OCR) in September 2014, staff from the Spencer Cox Center, which provides care for patients with HIV/AIDS in addition to individuals suffering from other chronic diseases, faxed PHI including HIV status to a patient’s employer rather than sending it to a post office box as the patient requested.
OCR's investigation also found that the Spencer Cox Center had experienced an earlier data breach nine months before the incident in the complaint, yet had failed to implement safeguards or otherwise address the gaps in its compliance.
The settlement comes amid a steady stream of similar OCR enforcement actions, many of them following high-profile breaches rooted in cybersecurity failures. The St. Luke’s-Roosevelt settlement is in the same ballpark as the one paid by a Colorado provider for HIPAA violations and significantly less than the $2.4 million paid by Memorial Hermann Health System. The size of the latter settlement raised eyebrows among privacy lawyers.
“Individuals cannot trust in a healthcare system that does not appropriately safeguard their most sensitive PHI,” said Roger Severino, director of the OCR. He went on to note that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires both covered entities and their business associates to identify vulnerabilities and take corrective action.
“In exercising its enforcement authority, OCR takes into consideration aggravating factors such as the nature and extent of the harm caused by failure to comply with HIPAA requirements,” he warned.